From a8a11cdd893384c14a089bbac70e66b62f3364fb Mon Sep 17 00:00:00 2001
From: npmrun <1549469775@qq.com>
Date: Mon, 20 Apr 2026 20:19:33 +0800
Subject: [PATCH] fix(config): mask smtp password in global put response

Prevent commentSmtpPass from being echoed in PUT responses while preserving existing response behavior for all other config keys.

Made-with: Cursor
---
 server/api/config/global.put.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/server/api/config/global.put.ts b/server/api/config/global.put.ts
index ce392ac..32d8078 100644
--- a/server/api/config/global.put.ts
+++ b/server/api/config/global.put.ts
@@ -12,6 +12,13 @@ type UpdateGlobalConfigBody = {
     value: unknown;
 };
 
+function toSafeResponseValue(key: string, value: unknown) {
+    if (key === "commentSmtpPass") {
+        return "";
+    }
+    return value;
+}
+
 export default defineWrappedResponseHandler(async (event) => {
     try {
         await requireAdmin(event);
@@ -23,7 +30,7 @@ export default defineWrappedResponseHandler(async (event) => {
         const value = await event.context.config.getGlobal(key);
         return R.success({
             key,
-            value,
+            value: toSafeResponseValue(key, value),
         });
     } catch (err) {
         throw toPublicConfigError(err);